Use multi-factor authentication (MFA). Where MFA is not an option, use password managers, creating unique, long-as-possible, random passwords for each website or security domain. Where password managers aren’t possible, use long, simple passphrases. In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.